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ABSTRACT 



In a data exchange system working with processor chip 
cards, a chip card transmits coded identification data I, 
v and, proceeding from a random, discrete logarithm r, 
an exponential value x=2'(raod p) to the subscriber 
who, in turn, generates and transmits a random bit se- 
quence e to the chip card. By multiplication of a stored, 
private key s with the bit sequence e and by addition of 
the random number r, the chip card calculates a y value 
and transmits the y value to the subscriber who, in turn, 
calculates an x value from the information y, vy and e 
and checks whether the calculated x value coincides 
with the transmitted x value. For an electronic signa- 
ture, a hash value e is first calculated from an x value 
and from the message m to be signed and a y value is 
subsequently calculated from the information r, syand e. 
The numbers x and y then yield the electronic signature 
of the message m. 



11 Claims, 3 Drawing Sheets 
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METHOD FOR IDENTIFYING SUBSCRIBERS 
AND FOR GENERATING AND VERIFYING 
ELECTRONIC SIGNATURES IN A DATA 
EXCHANGE SYSTEM 

BACKGROUND OF THE INVENTION 

1. Field of the Invention : 

The present invention relates to a method for identi- 
fying subscribers and for generating and verifying elec- 
tronic signatures in a data exchange system working 
with processor chip cards, using identification data 
coded in a center with respective subscriber-related 
known ciphers and stored in the respective chip card 
and with secret ciphers having a logical relationship to 
the known ciphers, whereby random number-depend- 
ent check data are mutually exchanged between the 
subscribers. 

2. Description of the Prior Art 
Important prerequisites for data security in modern 

communication systems are: 

(a) the mutual identification of the communicating 
partners participating in the system; 

(b) the authentication of the transmitted and stored 
data; 

(c) the coding of the transmitted and stored data; and 

(d) checking the authorship of the transmitted data. 
As is known, a high degree of data security can only 

be achieved by utilizing cryptographic methods that 
enable an identification and authenticity check of mes- 
sages, subscribers and equipment beyond all doubt 
What is generally understood by cryptography is a 
coding of the data for secrecy purposes. In addition to 
this doubtlessly-important crypto function, however, 35 
other functions, particularly checking the authenticity 
and authorship or generating electronic signatures are 
gaining increasing significance. 

Symmetrical or asymmetrical coding algorithms can 
be employed for realizing cryptographic functions. 40 
Given a symmetrical algorithm, for example the DES 
algorithm (data incryption standard), identical keys are 
employed for coding and decoding. Symmetrical cryp- 
tosystems are particularly suitable when larger data sets 
have to be transmitted at a high rate. By contrast, disad- 45 
vantages derive due to a relatively difficult cryptoman- 
agement because the transmitter and the receiver must 
have the same key and a reliable channel is required for 
the transmission of the key respectively employed. 

In asymmetrical cryptosystems, different ciphers are 50 
employed for coding and decoding, such that, for exam- 
ple, the key for coding is known and the key for decod- 
ing is secret. The latter is only known to the receiver. 
On asymmetrical cryptosystems, for example, the RSA 
algorithm named after the inventors Rivest Shamir and 55 
Adlemann that requires a comparatively high techno- 
logical outlay and correspondingly long run times de- 
pendent on the length of the cipher employed but that 
satisfies high security requirements on the basis of the 
special cryptosystem. The asymmetrical cryptosystem 60 
is ideally suited for assigning a message to be transmit- 
ted. The message to be signed is thereby coded with the 
secret key of the signee and can be decoded by anyone 
that knows the public key. This "electronic signature" 
not only contains the personal feature (possession of . 65 
private or secret key of the signee but also involves the 
signed texti with the consequence that the receiver 
recognizes any change in the text. Message and signa- 



ture are therefore invariably linked via the key algo- 
rithm. 

The utilization of modern cryptographic equipment is 
intimately connected to the . introduction as what are 
referred to as multi-functional processor chip cards. 
The processor chip card not only enables versatile ap- 
plications but is also employed for accepting the neces- 
sary security components (secret key and cryptoal- 
gorithm) in order to guarantee an identification of the 
user and a reliable authentication of the card and of the 
message exchanged. 

Presently known algorithms for electronic signatures, 
particularly the RSA algorithm (in this connection see 
U.S. Pat. No. 4,405,829), fully incorporated herein by 
this reference or the algorithm developed by A. Fiat 
and A. Shamir (European patent application Ser. No. 
0,252,499) require either a high memory outlay or, inso- 
far as they can be accommodated at all in the chip be- 
cause of extensive and complicated arithmetic opera- 
tions, particularly, multiplications, require a great deal 
of time, so that they are only conditionally suitable for 
utilization in chip cards. 

SUMMARY OF THE INVENTION 

It is therefore an object of the invention to provide 
methods for mutual identification of subscribers of data 
exchange systems and for generating signatures that, 
given essentially the same security guarantees, enable 
shorter run times due to more simple arithmetic opera- 
tions, in comparison to known cryptographic methods. 

The above object is achieved, according to the pres- 
ent invention, in a method for mutual identification of 
subscribers in a data exchange system working with 
processor chip cards, utilizing identification data coded 
in a center with respective subscriber-related known 
keys and stored in the respective chip card and with 
secret keys having a logical relationship to these known 
keys, whereby random number-dependent check data 
are mutually exchanged between the subscribers, and is 
particularly characterized in that the chip card sends 
the coded identification data, potentially together with 
a signature of the center, to the subscribers entering into 
an information exchange with the chip card, this sub- 
scriber checking the correctness of the coded identifica- 
tion data with reference to a known list or with refer- 
ence to the signature of the center, then proceeding 
from a random, discrete algorithm re(l, . . , , p— I), 
where p is a declared prime number modulus, the chip 
card forms an x value according to the rule x:— 2 r (mod 
p) and sends this x value to the subscriber, after which 
the subscriber sends a random bit sequence e=>(e/^/. . . 
t etx,k)t{0 t \} kt to the chip card, and by multiplication of 
the stored secret key sy that likewise represents a dis- 
crete logarithm with a binary number formed from the 
bits of the random bit sequence e transmitted from the 
subscriber to the chip card and by addition of the ran- 
dom number r allocated to the previously-transmitted x 
value, the chip card calculates a number y according to 
the rule 



(mod p-1) 



and transmits the number y to the subscriber, then with 
reference to the number y transmitted to the subscriber, 
the subscriber calculates a number x according to the 
rule 
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* t 



(mod p) 



by a random selection (r^o, x^/)) of the pairs for i= 1, 
...t 



and checks the identity of the chip card user on the basis 
of a comparison between the calculated number x and 
the x value previously communicated to the subscriber. 

According to another feature of the invention, the 
method is particularly characterized in that the chip 
card calculates a x value according to the rule 
x:=2'(mod p) from a random number r generated in the 
chip card and lying in the range between 1 and the 
prime number modulus (p— 1), that the chip card calcu- 
lates a random bit sequence as a function of the x value 
of the message m and of a declared hash function h 
according to the rule e:=h(x, m)"{0,l}*', that the chip 
card calculates a y value from the random number r, 
from the secret ciphers Sy stored in the chip card and 
from the random bit sequence e according to the rule 



/= 1 



(mod p-l) 



(mod p) 



10 



20 



k 

r + 2 si 



(mod p-l) 



and that the chip card sends the message m and the 25 
signature formed from the value x and y to the sub- 
scriber in message communication with the chip card. 

According to another feature of the invention meth- 
ods can be accelerated by discrete logarithms calculated 
in a preliminary process and intermediately stored, 
whereby values once employed are combined in a ran- 
dom fashion with other discrete logarithms in a rejuve- 
nation process. This is exemplified by a method of the 
type set forth above which is particularly characterized 
in that a plurality of random numbers r, and respec- 
tively appertaining x values calculated in a preliminary 
process are stored in pairs in the chip card, in that the 
pair (r, x) employed in an identification procedure and- 

/or signature procedure is varied in such a manner that 

a random number r, after use thereof, is combined with 40 f0 j e Q ^ ^ gf 0U p 2 



30 



35 



According to another feature of the invention, a 
method is particularly characterized by such a selection 
of the prime number modulus p that (p— 1) is divisible 
by a prime number q and by such a selection of the base 
a of the discrete logarithm that 

a9= I (mod p), a=£\(mod p) 

applies, and in that the discrete logarithms y, r, s; are 
calculated modulo q, and in that the key components sj 
and vj are in the relationship vy=a#(mod p). Then a 
plays the role of the base 2 above. 

According to another feature of the invention, a 
method is particularly characterized by such a selection 
of the secret 

key s/ and of the random numbers r that the bit 
lengths of the numbers s/, r and y are shorter than the 
length of the prime number modulus p. 

According to another feature of the invention, a 
method is particularly characterized in that other finite 
groups are employed for the formation of discrete loga- 
rithm instead of the finite groups that arise on the basis 
of residual class formation modulo p. 

According to another feature of the invention, a 
method is particularly characterized in that a group of 
units Zn of the invertible residue classes modula a com- 
posite number n, a group of units of a finite body, an 
elliptical curve over a finite field or the like are pro- 
vided as a finite group. Then this finite group plays the 



a random selection of the remaining stored random 
numbers, and in that the rejuvenated random number 
calculates the appertaining x value and is stored and/or 
used together with the rejuvenated random number r as 
a rejuvenated pair, 45 

A method for verification of a signature generated 
according to the second-mentioned feature is particu- 
larly characterized, with respect to the subscriber re- 
ceiving the signed message m, in that: 

a random bit sequence e is calculated from the mes- 50 
sage m and from the x value of the signature according 
to the rule e:=h(x ,m)e{0,l}*', 

that an x value according to the rule 

, (mod p) 55 

* t 
x » 2y it vj t en 2 f ~' 
/-! '=1 

is calculated from the random bit sequence e v from the 
public key v and from the y value of the signature and 
is checked to see whether the calculated x value coin- 60 
cides with the x value of the signature. 

With respect to rejuvenation, according to another 
feature of the invention, a method is particularly char- 
acterized in that a plurality of random numbers r/ f . . . , 
Xk and their appertaining x values, Xv^^mod p), are 65 
stored in the chip card, and in that the pair of numbers 
(r, x) used in an identification procedure and/or signa- 
ture procedure is rejuvenated in the following manner 



According to another feature of the invention, a 
method for verifying an abbreviated signature gener- 
ated according to the third-mentioned feature at the 
subscriber receiving the signed message m, is particu- 
larly characterized in that: 

a number x is calculated from the transmitted message 
m and from the signature (e, y) according to the rule 



k t 

x = 2V ir »; 2 r tf 2'- 



(mod p) 



and that a check is carried out to see whether tiie e 
value of the signature coincides with the value h (x, m). 

The problem to be solved in practicing the present 
invention is comprised in the difficulty of calculating 
the discrete logarithm. Other, known asymmetrical 
cryptomethods are also constructed on this foundation 
(for example reference may be taken to T. ElGamal, "A 
Public Key Cryptosystem and a Signature Scheme 
Based on Discrete Logarithms", IEEE Transactions on 
Information Theory, Vol. 31, 1985, pp. 469-472; D. 
Chaum, J. H. Evertse, J. van de Graaf, "An Improved 
Protocol for Demonstrating Possession of Discrete 
Logarithms and some Generalizations", Proceedings of 
Eurocrypt '87, Lecture Notes in Computer Science 304, 
(1988), pp. 127-141; T. Beth, "A Fiat-Shamir-like Au- 
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thentication Protocol for the ELGAMAL Scheme", ship; between the public. key v and the identification 

Eurocrypt '88 Abstracts, pp. 41-47). Compared to the string I and monitors the signature of the center in this 

known cryptomethods, the present invention has. the manner. The public key v=(v/. . . vjt) has a logical 

advantage that the arithmetic operations can be com- relationship to the secret key s=(s/. . .sjt) and is defined 

paratively more simply executed in the chip card. This 5 as 
occurs particularly due to the set preliminary process. 

This preliminary process can also be combined with the v y = i -ymod p) for y= l k. 

mentioned cryptosystems of ELGAMAL, CHAUM- where p is a prime number that is at least 512 bits long. 
EVERTSE-van de GRAAF and BETH. In addition, As soon as the secret key s is selected, the correspond- 
especially short signatures can be generated in practic- 10 ing public key v can be easily calculated. The inverse 
ing the present invention. process— calculating the secret key s from the public 

rptpf nFsrKTPnnN of thf DRAWINGS kev v- 13 cannot be implemented because the calculation 
BRIEF DESCRIPTION OF THE DRAWINGS of ^ discrete bgarithm modulo p for such , arge prime 

Other objects, features and advantages of the inven- numbers p is beyond the range of present computers and 
tion, its organization, construction and operation will be 15 algorithms. The component syof the secret cipher is the 
best understood from the following detailed descrip- discrete logarithm modulo p of fp 1 , i.e. 
tion, taken in conjunction with the accompanying 

drawings, on which: sj= -togjv^mod p- \)forj-\ A. 

FIG. 1 is a block diagram of the identification of a 
subscriber in accordance with the present invention; 20 All discrete logarithms refer to the group ZZ* P (the 

FIG, 2 is an illustration of the method steps of the multiplicative group modulo p) and, insofar as not oth- 
invention in the generating of a signature of a message erwise noted, to the base 2. Since the order of the group 
to be transmitted; Z p * is p— 1, the discrete algorithm assumes the value 1, 

FIG. 3 is a diagram of the steps for checking a signa- 2, . . .p- 1. Instead of the finite groups that arise due to 
ture generated according to FIG. 2; 25 re sidual formation modulo p, other finite groups can 

FIG. 4 is a diagram of the method steps of the present ^ so ^e employed for the formation of the discrete loga- 
invention in generating an abbreviated signature; and ritnni) such ^ for example, the group of Z„* of invert- 

FIG. 5 is a diagram of the steps used in the checking ible residue dasses re i at i ve to a composite number n, the 

of the abbreviated signature generated according to group of units of a finite field, an elliptic curve over a 

30 finite field, etc. Knowledge of the group order is not 

DESCRIPTION OF THE PREFERRED required for transferring the method to an arbitrary 

EMBODIMENTS finite group. For example, it is adequate to calculate 

* - T « - < • *n * j i „ M .t,„^w w * tn toe discrete logarithms on the order of magnitude 

In FIG. 1, an example is illustrated how a subscriber , l40 * 

A, for example a chip card belonging to the subscriber, 35 . ' ... . , A • 

proves his identity vLa-vis a subicriber B. for example Ah " « he ,mil f on < \ subscnber genetates ,n 

a chip card terminal. record ste P a random number 

In a data exchange system working with chip cards, p _ {) 

the respective user-related chip cards are issued by one 

or, potentially, more classification centers (government 40 ^ ^ correspondin g exponential value 

representatives, credit card companies or the like), x:=2 r (mod p) 

whereby the issue of the chip cards is not instituted until p 

the identity of the respective user has been checked. . . . . . a tUt> „ 

, ' . r „ i : . The inverse anthmetic process, i.e. calculating the ran- 

The center then prepares a personal identification string , , _ * . . ^ . u 

I for a qualified usTr (name, address, ID number, etc), 45 ^number r fronr the x value is extremely difficult 

attaches the user-related, public key to this identifier P ,s adequately large^The subscnber B there- 

tion string I, this key having potentially been generated has Practically no possibility of discovenng the 

by the user himself, and publishes the pair formed- of ™ dom r m the time available to him. This ^x 

identification string I and the public key v in a publical- value calculated at the subscnber A is transmitted to the 

ly-accessible list. The center itself does not see the se- 50 subscriber B, i.e. to the terminal. Like the aforemen- 

cret key s and can therefore likewise not disclose the tioned secret key s> the random number r is a discrete 

same. The identification string I, the public and secret logarithm. Following therefrom is that calculations at 

keys v, s as well as a declared prime number p are stored the side of the chip card are earned out with discrete 

in the chip card before the card is issued. logarithms and are carried out with the corresponding 

Instead of using a public list, the center can sign each 55 exponential value at the cooperating side, i.e. in the 

pair (I,v). This signature is stored in the chip card and terminal of the subscriber B. 

can be easily checked with the assistance of the public Generating the random number r and the exponential 

key of the center. After the chip cards and/or the public value 

list have been issued, no further interaction with the 

center is necessary, neither for generating nor for 60 x**r{mod p). 

checking signatures and identifications. derived therefrom can be advantageously accelerated 

The identification begins with what is referred to as by a preliminary process that offers and regenerates a 

an initiation. The subscriber A or, respectively, the chip supply of a plurality of pairs each composed of a ran- 

card thereby sends an identification string I and the dom number r and the appertaining x value in the chip 

public key v to the subscriber B or; respectively, to the 65 card. This supply can be set up in the chip card itself or 

appertaining terminal that verifies the identity. Differ- can be externally loaded into the chip card. In an initi- 

ing from known cryptomethods, the public key is veri- ated identification process, one of these pairs can there- 

fied in the terminal, i.e. the terminal checks the relation- fore be immediately accessed, so that the respective x 
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value can be immediately transmitted to the subscriber 
B. 

In the next step, the subscriber B now sends a random 
bit sequence 

to the subscriber A or, respectively, to the chip card. 

After receiving the random bit sequence e, the chip 
card sends a linear combination of the secret key sy 
stored therein — a linear combination dependent on the 
bits of a random bit sequence e — , adds. the current, 
random number r thereto and transmits the numerical 
value y 



3. Finally, the subscriber A calculates a y value from 
the components of the secret key s> random bit se- 
quence or, respectively, hash value e and random num- 
ber r according to the relationship 



k t 

r + I Si X 



(mod p-1) 



10 



k t 
7=1 



2'"' 



(mod p-1) 15 



formed in this manner to the subscriber B. 

The subscriber B now checks whether the y value 
sent to him is the correct answer to the question raised, 
the subscriber A having been asked this question by the 
subscriber B sending the random bit sequence e. In this 
check, the subscriber B calculates the right-hand part of 
the following equation. 



20 



25 



= 2' n vj Z en V~ 1 



(mod p) 



30 



and determines with reference toa comparison whether 
the calculated numerical value x coincides with the x 
value already previously received from the subscriber 
A. This task to be carried out at the subscriber B is, in 
fact, relatively involved; because of the adequate com- 
puter performance usually present in the terminal, it can 
be carried out in a relatively short time. The identifica- 
tion check is therefore terminated, so that the subscriber 
A can initiate further measures insofar as the subscriber 
B identified a coincidence of the two x values. 

By incorporating a message m, the described identifi- 
cation of the subscriber A can be expanded into an 
electronically-generated signature of the subscriber A 
under the message m. This electronic signature allows 
the subscriber B to document the identity of the sub- 
scriber A vis-a-vis a third party, for example a judge. In 
addition to this, it allows the proof that the subscriber A 
has signed the message m beyond all doubt. The follow- 
ing steps must be carried out (see FIG. 2) in order to 
sign a message m given utilization of the secret key sj sequence 
stored at the subscriber A, i.e. in the chip card: 

1. The subscriber A again selects a random number r 
and, as already set forth in conjunction with the identity 
check, calculates a x value according to the relationship 



The number pair x, y then yields what is referred to as 
the electronic signature of the message m. The two 
security numbers k and t preferably lie in the range 
between 1 and 20. They yield a security level 2*', i.e. at 
least 2 kt multiplications (modulo p) are needed for coun- 
terfeiting the signature or, respectively, the identity. 
For example, k= 1 and t =72 yields a security level 2 72 
that is adequate for signatures. 

Proceeding on the basis of this signature formed by 
the number x and y, whereby both numbers are at least 
512 bits long, various possibilities of abbreviating the 
signature derive. One of the possibilities provides that 
the number x be replaced by the hash value e=h(x, m) 
that is only 72 bits long. The signature is now composed 
of only y and e values (see FIG. 4). A next step is com- 
prised in no longer taking the numbers y, r, s/in the size 
of the modulo p, but of only small numbers for y, r, s ; - 
that, however, are at least 140 bits long for the security 
level 2 72 . An especially simple possibility of achieving 
short signatures is comprised therein that the prime 
number modulus p is selected such that a second prime 
number q divides the value (p— 1), whereby q is 140 bits 
long. The base 2 is then replaced by a number a, so that 



35 



40 



45 



a* = \{mod p), at£](mod p) 

applies. It follows therefrom that all discrete logarithms 
can be calculated modulo q, i.e. logarithms for the se- 
lected number a are calculated, whereby all logarithms 
can then lie in the range from 1 through q. This has the 
advantage that a number that is smaller than q derives 
for the y value of the signature. Proceeding from the 
random number r 



from 



a r (mod p) 



calculated therefrom as well as from the arbitrary bit 



and from the number y 



x:—2 r {mod p). 

Here also, of course, there is the possibility of accessing 
the stored supply and directly calling in the random 
numbers r and the appertaining . x value. 

2. The subscriber A now forms a hash value e from 
the message m and from the calculated x value or, re- 
spectively, from the x value taken from the supply, 
according to the relationship 

e:=.h(jt.m)€{Q,\) kt 

where h is thereby a publicly known hash function 
having values in {0,1}*'. 



55 



k t 
y; «* r + I si £ 



ctj 2'" 



(mod q) 



60 



65 



calculated therefrom, a total length of 212 bits now 
derives from the signature formed from the numbers y 
and e with y=140 bits and e=72 bits. A signature ab- 
breviated in this manner has the security level of 2 72 , i.e. 
approximately multiplications modulo p are required in 
order to counterfeit a signature. 

The following steps are performed by the subscriber 
B, i.e. in the terminal for verification of a signature 
composed of the numbers x and y. First, as shown in 
FIG. 3, 
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lated with t additions and the new- number x v can be 
c=h{x. muo.1) ' calculated with t multiplication. Another rejuvenation 

..... .. . 4 . iL . . of the pair (r v , x v ) is possible according to the rule 

is calculated and the equality test is then implemented r ° 

such that the x value calculated according to the equa- 5 

ti0n r*<", = ^ + ^ (m ° dP * l> 



. (mod p) 

X = V 7T Vy .2 ey 2 1 " 1 Jttw. _ v otd „ r ^ 



(mod p) 



;=i 10 



is spared to the x value of the signature. The calculation of the new value r v is produced here 

Given abbreviated signatures in which x is= replaced . . , ./.. ft . T , K . * 

by e, the verification according to FIG. S occurs in such "V ^ ™£ ♦ " *■ 

a fashion that calculated with 2t multiplications. Beginning with z== I, 

15 the steps 

k (mod p) 

x s 2 ^ it // 1 r/2''-' e-Woc/Kmorf^zro^inodp). 

are implemented for this purpose with the index i de- 
is first calcuiated.ancU check is then carried out to see 20 scendihg from t to 1. The new value x„ is obtained as a 
whether the number x supplies the correct e value. The product of the oJd va | ue with the most-recently calcu^ 
latter occur* in that a check is corned out to see ^ number Le> according to the ru!c 
whether the hash value h(x, m) coincides with the value 

e - x^.^x^mod p). 

Only relatively slight calculating tasks must be pro- 25 

duced in the chip card both in the identification proto- In the rejuvenation, the selection a (t)=fi has the 

col and the signature protocol. Although the secret key rcsuU that a number r.that was just rejuvenated is mul- 

s, must still be multpLed by relatively small numbers in ti Hed b the hi hesl £ ower of 2 ^ lesids t0 an 

S^SSfJ cLT^ 3* ^ ™?£P lj ^ OT ™ * cially efTective rejuvenation of the supply. It is advan*. 
resolved into simple additions and shift events, what are 30 * 1 • / \ > * • *> 

referred to shifts, whereby the product of s, and ey ge0US * ' empl ° y \ Tl ^ K ^ L* a ^ atoe ^ ls /°™ ed 
merely has to be shifted i-1 positions toward the left. 35 *™ do ™ combination of the pairs just stored. Inter- 
The random number r, finally, is then to be attached to m r e dmtc yalucs * at anse anyway given the rejuvenation 
this intermediate result by addition. of Xv m well suited for this purpose. 

Although the calculation of the number 15 , °* course ' these rejuvenation processes for the pair 

(r Vt x^) can be combined and varied. The only matter of 
x=2 r (/norf p) consequence is that the rejuvenation occurs as quickly 

as possible and cannot be duplicated from the signatures 
is also involved, it can be practically neglected in terms that have been performed. A small number t is thereby 
of time expenditure due to the aforementioned prelimi- ^ expediently employed; the rejuvenation cannot be dis- 
nary process when x values corresponding to a few covered when the supply of numerical pairs — i.e. the 
random numbers are calculated in advance and a plural- number K — is adequately large. It is advantageous to 
ity of pairs of numbers composed of r values and x co-employ the key pairs sy, vy in the rejuvenation; for 
values are stored as a supply. example, a cipher pair sy, vj) can be selected for a num- 

In order to prevent having the same number of pairs ber pair (r^i), Xa<o). Given t =6 and Ic ^ 10, the rejuve- 
being used over and over again at regular intervals nation of a number pair requires only 6 or, respectively, 
given a limited plurality of pairs, a rejuvenation is car- 12 multiplications that can be implemented more or less 
ried out insofar as each pair, after use, is subsequently incidently, for example when no other arithmetic opera- 
combined with other, potentially all pairs of the supply, tions are to be executed in the terminal, 
in particular again in a random fashion. The result The versatile possibilities of rejuvenating the number 
thereof is that the supply is rejuvenated and varied over 3U pairs {fvf Xy) can ^ differently used in each chip card, 
and over, little by little, For e ^ the mdices a(1) a(l31 {) and the 

As an example of such a rejuvenation, let it be as- combmation of the ciphcr pairs of the suppIy can be 
sumed that a supply of k number pairs (r, x,) is present differently fashioned in each chi card . A d l covery of 

hSta 1 ^ In » rnt venation process is practicaily impossibie in this 

nS^ * of the *^^ ulft? ^ 

according to the rule numbers n must be small so that the y part of the signa- 

ture also remains small. This is achieved in a simple 
60 manner in that the base a for which a 140 bit long prime 
r* ew t = r °J d + 1 fmod ^ number q is selected for the discrete logarithms, so that 

,== 1 ctf= l(mod p) is valid. The rejuvenation of the random 

(mod p) numbers r,y of course, is then calculated modulo q, i.e. 
*w = x ° m • I x tJle moduIus P — 1 is replaced by the modulus q. 

v . = x v 55 Although I have described my invention by reference 

to particular illustrative embodiments thereof, many 
The relationship x = 2 /v (raod p) again holds true for changes and modifications.of the invention may become 
the new pair (rs4, x v ). The new number t v can be calcu- apparent to those skilled in the art without departing 
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from the spirit and scope of the invention. I therefore 
intend to include within the patent warranted hereon all 
such changes and modifications as may reasonably and 
properly be included within the scope of my contribu- 
tion to the art. 
I claim: 

1. In a method for mutual identification of subscribers 
in a data exchange system working with processor chip 
cards and using identification data coded into the cards 
by a card-issuing center including subscriber- related 
public keys and stored in the respective chip cards 
along with private keys which have a logical relation- 
ship to the public keys, whereby random number- 
dependent check data are exchanged between the sub- 
scribers, comprising the steps of: 
transmitting from a chip card the coded identification 
data together with a signature of the center to a 
subscriber entering into an information exchange 
with the chip card; 
at the subscriber checking the correctness of the 20 
coded identification data with reference to known 
information including a public list or reference to 
the signature of the center; 
forming in the chip card a x value proceeding from a 
random, discrete logarithm re(l, . . . , p— 1), where 
p is a declared prime number modulus, and accord- 
ing to the rule 



25 



x:~V{mod p): 

transmitting the x value to the subscriber; 
transmitting from the subscriber a random bit se- 
quence 



to the chip card; 

multiplying the stored, private key sj representing a 
discrete logarithm with a binary number formed 
from the bits of the random bit sequence e transmit- 
ted from the subscriber to the chip card and adding 
the random number r allocated to the previously- 
transmitted x value to calculate, at the chip card, a 
number y according to the rule 



45 



k t 
y: — r + X si £ < 

7=1 J i=i 



1 (mod p - 1) 



from the generated random number r; 
forming a random bit sequence as a function of the x 
value of a message m and of a declared hash func- 
tion h according to the rule 

e:=h(x.m)t{0.\} kt : 

calculating a y value from the random number r, from 
the private cipher s/ stored in the chip card and 
from the random bit sequence e according to the 
rule 



15 



k i 
■■ r + I Si 2 

y»i w=i 



2'-'; 



(mod p*l) 
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transmitting the message ra and the signature formed 
from the value x and y to the subscriber which is in 
information exchange with the chip card. 
3. A method for generating an abbreviated signature 
for a message to be transmitted in a data exchange sys- 
tem according to the method of claim 1, and further 
comprising steps defined as: 

at the chip card, generating a random number r lying 
in the range between 1 and the prime number mod- 
ulus (p— 1); 

at the chip card, calculating a x value from the ran- 
dom number r according to the rule 

x:=¥(mod p)\ 

at the chip card, calculating a random bit sequence e 
as a function of the x value and of the message 
according to the rule 



35 



40 



e:=h{x ,m)e(0,l)*'; 

at the chip card, calculating a y value from the ran- 
dom number r, from the secret key syand from the 
random bit sequence e according to the rule 



(mod p-1) 



transmitting the number y to the subscriber; 
at the subscriber, calculating a number x with refer- 50 
ence to the number y according to the rule 



2> v vi 2 €( 1 2'~ 



(mod p); 
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checking the identity of the chip card user by com- 
paring the calculated number x and the x value 
previously communicated to the subscriber. 

2. A method for generating a signature according to 
the method of claim 1, wherein: 

the step of forming a x value is further defined as 
generating a random number r within the range of 
between 1 and the prime number modulus (p— 1) 
and calculating the x value according to the rule 

x:=2 r (mod p) 



60 
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transmitting from the chip card the message m and 
the signature formed from the values e and y to the 
subscriber which is information exchange with the 
chip card. 

4. The method of claim 3, and further comprising the 
steps of: 

generating a plurality of the random numbers r and a 
plurality of x values and storing the same in pairs in 
the chip card; 

employing one of the pairs of stored random numbers 
r and x values (r v , x v ) in an identification procedure 
and varying the pair in such a manner that a ran- 
dom number r, after use thereof, is combined with 
a random selection of the remaining, stored ran- 
dom numbers; and 

calculating the appertaining x value with the rejuve- 
nated random number and storing the same with 
the rejuvenated random number r as a rejuvenated 
pair. 

5. The method of claim 4, and further defined as 
comprising: 

storing the plurality of random numbers r/ t . . . a* and 
their appertaining x v =2 ,v (mod p) in the chip card; 
and 
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rejuvenating the pair (r, x) used in an identification 
procedure and/or a signature procedure by ran- 
dom selection (r fl (0), x a {,j) of the pairs for i = 1, 

, t in accordance with 



i« 1 



*° W IT T 2 ' 

x v ' ff x aii)- 



(mod p-l) 
(mod p) 



10 
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a*= 1 (modp), a+ t (mod p) 

holds true; and 
calculating discrete logarithms y, r, sy modulo q such 
that key components s/and v/are in the relationship 

vy-a- J /m«/p). 25 

7. The method of claim 6, and further defined as: 
selecting the secret key s/and the random numbers (r) 

such that the bit lengths of the numbers $/, r and y 
are shorter than the length of the prime number }Q 
modulus p. 

8. The method of claim 6, and further defined as: 
selecting finite groups for the formation of the dis- 
crete logarithm instead of the finite groups that 
arise on the basis of residual class modulo p. 

9. The method of claim 8, and further defined as: 
selecting one from the groups consisting of the Z„*, 

the group of invertible residue classes modulo q 



14 



6. The method of claim 5, and further defined as: 
selecting the prime number modulus p such that the 
number (p— 1) is divisible by a prime number q and 15 
by such a selection of the base a of a discrete loga- 
rithm that 



composite number r, a group of units of a finite 
field, and an elliptic curve over a finite field as a 
finite group. 

10. A method for the verification of a signature (x,y) 
generated according to. the method of claim 2 at the 
subscriber receiving the signed message m, comprising 
the steps of: 

calculating a random bit sequence e from the message 
m and from the x value of the signature according 
to the rule 

calculating an x value according to the rule 



(mod p) 



J - 2>' IT 
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from the random bit sequence e, from the public 
cipher v and from the y value of the signature; and 
comparing the. calculated x value with the x value of 

the signature. 
11. A method for verifying an abbreviated signature 
generated according to the method of claim 3 at the 
subscriber receiving the signed message m comprising 
the steps of: 

calculating a number x from the transmitted message 
m and from the signature (e, y) according to the 
rule 



x = V it v; X f/y?-- 1 (modp); 
7=1 /=I 

checking the value e_of the signature for coincidence 

with the value h (x , m). 

***** 
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